feat: add puppetapi approle/policy

2024-12-15 17:07:01 +11:00 · 2024-12-15 17:07:01 +11:00 · 63dd355311
commit 63dd355311
parent bfda3f2f72
3 changed files with 19 additions and 1 deletions
--- a/auth_approle_puppetapi.tf
+++ b/auth_approle_puppetapi.tf
@ -0,0 +1,14 @@
+resource "vault_approle_auth_backend_role" "puppetapi" {
+  role_name      = "puppetapi"
+  bind_secret_id = false
+  token_policies = ["puppetapi_read_tokens"]
+  token_ttl      = 30
+  token_max_ttl  = 30
+  token_bound_cidrs = [
+    "198.18.17.3/32",
+    "198.18.13.32/32",
+    "198.18.13.33/32",
+    "198.18.13.34/32",
+    "198.18.13.46/32"
+  ]
+}
--- a/policies.tf
+++ b/policies.tf
@ -11,7 +11,8 @@ locals {
    "policies/rundeck",
    "policies/ssh-host-signer",
    "policies/sshca",
-    "policies/kv/service/glauth/services"
+    "policies/kv/service/glauth/services",
+    "policies/kv/service/puppetapi",
  ]
 }

--- a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
+++ b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/puppetapi/tokens" {
+    capabilities = ["read"]
+}